<!doctype html><!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en" > <![endif]--><!--[if IE 7]>    <html class="no-js lt-ie9 lt-ie8" lang="en" >        <![endif]--><!--[if IE 8]>    <html class="no-js lt-ie9" lang="en" >               <![endif]--><!--[if gt IE 8]><!--><html class="no-js" lang="en"><!--<![endif]--><head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="author" content="Joseph Edwards">
    <meta name="description" content="GwisinLocker is a new ransomware family that targets Linux systems at industrial and pharma companies with sophisticated &quot;double extortion&quot; ransomware campaigns.">
    <meta name="generator" content="HubSpot">
    <title>GwisinLocker ransomware targets South Korean industrial and pharma firms</title>
    <link rel="shortcut icon" href="https://www.reversinglabs.com/hubfs/favicons/android-chrome-512x512.png">
    

    
    <meta property="og:description" content="GwisinLocker is a new ransomware family that targets Linux systems at industrial and pharma companies with sophisticated &quot;double extortion&quot; ransomware campaigns.">
    <meta property="og:title" content="GwisinLocker ransomware targets South Korean industrial and pharma firms">
    <meta name="twitter:description" content="GwisinLocker is a new ransomware family that targets Linux systems at industrial and pharma companies with sophisticated &quot;double extortion&quot; ransomware campaigns.">
    <meta name="twitter:title" content="GwisinLocker ransomware targets South Korean industrial and pharma firms">

    

    
    <style>
a.cta_button{-moz-box-sizing:content-box !important;-webkit-box-sizing:content-box !important;box-sizing:content-box !important;vertical-align:middle}.hs-breadcrumb-menu{list-style-type:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 10px}.hs-breadcrumb-menu-divider:before{content:'›';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin:0 0 20px 20px;max-width:50%}@media (max-width: 568px){.hs-featured-image{float:none;margin:0;width:100%;max-width:100%}}.hs-screen-reader-text{clip:rect(1px, 1px, 1px, 1px);height:1px;overflow:hidden;position:absolute !important;width:1px}
</style>

<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/38216899954/1683495050466/Modules/StickyBar/stickybar.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/11119463588/1690214555806/Redesign_june_2019/Coded_Files/CSS/Components/site-menu.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/11395383304/1628866683496/Redesign_june_2019/Coded_Files/CSS/Components/micromodal.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/1563505647497/module_11395370497_Redesign_june_2019_Custom_Modules_Site_Search_Input_-_Header_Modal.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/103636562700/1677161481432/module_103636562700_Footer_Categories_Text_-_global.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/87757605656/1666371595958/module_87757605656_Footer_Categories_Blog_Listing_-_global.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/36845096476/1683635695217/module_36845096476_Blog_listing_card_grid.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/80864562095/1659712321004/module_80864562095_Sidebar_Categories_Blog_-_global.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/80868056874/1659702739351/module_80868056874_Sidebar_Social_-_global.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/80857835930/1659449374148/module_80857835930_Sidebar_Blog_Subscribe_-_global.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/80864563080/1670427753922/module_80864563080_Sidebar_Blog_Favorite_Post_-_global.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/114796045952/1683726402031/module_114796045952_Sidebar_ConversingLabs_Latest_Post_Block_-_global.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/115016303498/1683726382481/module_115016303498_Sidebar_ReversingGlass_Latest_Post_Block_-_global.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/115021731904/1683728917797/module_115021731904_Sidebar_SPD_Latest_Post_Block_-_global.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/10777459487/1628866681200/Redesign_june_2019/Coded_Files/CSS/Components/footer-redesign-2019.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/module_assets/10782554896/1684325396009/module_10782554896_Footer_-_Redesign_-_2019_-_Global.min.css">
    <script type="application/ld+json">
{
  "mainEntityOfPage" : {
    "@type" : "WebPage",
    "@id" : "https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies"
  },
  "author" : {
    "name" : "Joseph Edwards",
    "url" : "https://www.reversinglabs.com/blog/author/joseph-edwards",
    "@type" : "Person"
  },
  "headline" : "GwisinLocker ransomware targets South Korean industrial and pharma firms",
  "datePublished" : "2022-08-09T19:02:00.000Z",
  "dateModified" : "2022-08-09T19:03:06.692Z",
  "publisher" : {
    "name" : "Reversing Labs",
    "logo" : {
      "url" : "https://api.hubapi.com/avatars/v1/signed-uris/1CksKFQgEEhFyZXZlcnNpbmdsYWJzLmNvbRjCkdnlBSoeYnJhbmRpbmc6am9iczpvbmVvZmY6dXMtZWFzdC0xMgwxNzIuMTYuMTYuNzISGQB7DcdkuMipJ6vKC-8FGrA1ZRbhs4OVb_w",
      "@type" : "ImageObject"
    },
    "@type" : "Organization"
  },
  "@context" : "https://schema.org",
  "@type" : "BlogPosting",
  "image" : [ "https://3375217.fs1.hubspotusercontent-na1.net/hubfs/3375217/Blog/GwisinLocker-ransomware-targets-South-Korean-industrial-and-pharma-firms.png" ]
}
</script>


    

<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- LCP CLS-->
<style type="text/css">.row-fluid{*zoom:1;width:100%}.row-fluid:after,.row-fluid:before{content:"";display:table}.row-fluid:after{clear:both}.row-fluid [class*=span]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;-ms-box-sizing:border-box;box-sizing:border-box;display:block;float:left;margin-left:2.127659574%;*margin-left:2.0744680846382977%;min-height:28px;width:100%}.row-fluid [class*=span]:first-child{margin-left:0}.row-fluid .span12{width:99.99999998999999%;*width:99.94680850063828%}.row-fluid .span11{width:91.489361693%;*width:91.4361702036383%}.row-fluid .span10{width:82.97872339599999%;*width:82.92553190663828%}.row-fluid .span9{width:74.468085099%;*width:74.4148936096383%}.row-fluid .span8{width:65.95744680199999%;*width:65.90425531263828%}.row-fluid .span7{width:57.446808505%;*width:57.3936170156383%}.row-fluid .span6{width:48.93617020799999%;*width:48.88297871863829%}.row-fluid .span5{width:40.425531911%;*width:40.3723404216383%}.row-fluid .span4{width:31.914893614%;*width:31.8617021246383%}.row-fluid .span3{width:23.404255317%;*width:23.3510638276383%}.row-fluid .span2{width:14.89361702%;*width:14.8404255306383%}.row-fluid .span1{width:6.382978723%;*width:6.329787233638298%}.container-fluid{*zoom:1}.container-fluid:after,.container-fluid:before{content:"";display:table}.container-fluid:after{clear:both}@media (max-width:767px){.row-fluid{width:100%}.row-fluid [class*=span]{display:block;float:none;margin-left:0;width:auto}}@media (min-width:768px) and (max-width:1139px){.row-fluid{*zoom:1;width:100%}.row-fluid:after,.row-fluid:before{content:"";display:table}.row-fluid:after{clear:both}.row-fluid [class*=span]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;-ms-box-sizing:border-box;box-sizing:border-box;display:block;float:left;margin-left:2.762430939%;*margin-left:2.709239449638298%;min-height:28px;width:100%}.row-fluid [class*=span]:first-child{margin-left:0}.row-fluid .span12{width:99.999999993%;*width:99.9468085036383%}.row-fluid 
.span11{width:91.436464082%;*width:91.38327259263829%}.row-fluid .span10{width:82.87292817100001%;*width:82.8197366816383%}.row-fluid .span9{width:74.30939226%;*width:74.25620077063829%}.row-fluid .span8{width:65.74585634900001%;*width:65.6926648596383%}.row-fluid .span7{width:57.182320438000005%;*width:57.129128948638304%}.row-fluid .span6{width:48.618784527%;*width:48.5655930376383%}.row-fluid .span5{width:40.055248616%;*width:40.0020571266383%}.row-fluid .span4{width:31.491712705%;*width:31.4385212156383%}.row-fluid .span3{width:22.928176794%;*width:22.874985304638297%}.row-fluid .span2{width:14.364640883%;*width:14.311449393638298%}.row-fluid .span1{width:5.801104972%;*width:5.747913482638298%}}@media (min-width:1280px){.row-fluid{*zoom:1;width:100%}.row-fluid:after,.row-fluid:before{content:"";display:table}.row-fluid:after{clear:both}.row-fluid [class*=span]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;-ms-box-sizing:border-box;box-sizing:border-box;display:block;float:left;margin-left:2.564102564%;*margin-left:2.510911074638298%;min-height:28px;width:100%}.row-fluid [class*=span]:first-child{margin-left:0}.row-fluid .span12{width:100%;*width:99.94680851063829%}.row-fluid .span11{width:91.45299145300001%;*width:91.3997999636383%}.row-fluid .span10{width:82.905982906%;*width:82.8527914166383%}.row-fluid .span9{width:74.358974359%;*width:74.30578286963829%}.row-fluid .span8{width:65.81196581200001%;*width:65.7587743226383%}.row-fluid .span7{width:57.264957265%;*width:57.2117657756383%}.row-fluid .span6{width:48.717948718%;*width:48.6647572286383%}.row-fluid .span5{width:40.170940171000005%;*width:40.117748681638304%}.row-fluid .span4{width:31.623931624%;*width:31.5707401346383%}.row-fluid .span3{width:23.076923077%;*width:23.0237315876383%}.row-fluid .span2{width:14.529914530000001%;*width:14.4767230406383%}.row-fluid 
.span1{width:5.982905983%;*width:5.929714493638298%}}.clearfix{*zoom:1}.clearfix:after,.clearfix:before{content:"";display:table}.clearfix:after{clear:both}.hide{display:none}.show{display:block}.hidden,.invisible{visibility:hidden}.hidden{display:none}.hidden-desktop,.visible-phone,.visible-tablet{display:none!important}@media (max-width:767px){.visible-phone{display:inherit!important}.hidden-phone{display:none!important}.hidden-desktop{display:inherit!important}.visible-desktop{display:none!important}}@media (min-width:768px) and (max-width:1139px){.visible-tablet{display:inherit!important}.hidden-tablet{display:none!important}.hidden-desktop{display:inherit!important}.visible-desktop{display:none!important}} img,video{height:auto;max-width:100%}.icon-facebook:before,.icon-instagram:before,.icon-linkedin:before,.icon-rss:before,.icon-twitter:before,[class*=" icon-"]:before,[class^=icon-]:before{speak:none;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;font-family:rl-icons!important;font-style:normal!important;font-variant:normal!important;font-weight:400!important;line-height:1;text-transform:none!important}.cta,article,aside,details,figcaption,figure,footer,header,hgroup,nav,section{display:block}img{-ms-interpolation-mode:bicubic;border:0;vertical-align:bottom}.row-fluid [class*=span]{min-height:1px}audio,canvas,video{display:inline-block} .container-fluid .row-fluid .page-center{float:none;margin:0 auto!important;max-width:1400px;} *,:after,:before{-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}body,html{margin:0;min-height:100%;padding:0}body{background:#fff;color:#484848;font-size:16px;font-weight:300;line-height:1.5}body,button{font-family:Roboto,Arial,Helvetica,sans-serif}h1,h2,h3,h4,h5,h6{color:#1f1f1f;font-weight:300}.cta,h1{font-weight:500}h1{font-size:50px}h2{font-size:42px}h3{color:#4c4c4c;font-size:40px}h3,h4{font-weight:300}a{color:#f2293c}a,a:focus,a:hover{text-decoration:none}.body-container 
p{margin:0 0 25px}.icon-twitter:before{content:"\66"}.icon-linkedin:before{content:"\68"}.icon-facebook:before{content:"\67"}.icon-instagram:before{content:"\77"}.icon-rss:before{content:"\72"}.cta{border:none;border-radius:4px;font-size:12px;margin-bottom:40px;outline:0;padding:14px 10px;text-align:center;text-transform:uppercase}@media (min-width:540px){.cta{display:inline-block;padding:14px 50px 13px}}.cta--red{background:#f6143f;color:#fff}.cta--light.cta--light{border:1px solid #333;color:#333;font-weight:400;transition:.2s}.hero__cta-container .cta--light{font-weight:500}.cta--lg{font-size:14px;margin:0;padding:10px 20px}@media (min-width:540px){.cta--lg{margin:10px auto 0;padding:16px 60px 13px}}.card__item-body-text{font-size:18px;line-height:1.4;color:#666;margin-bottom:20px}.card__item-body-text:last-child{margin-bottom:0}.card__image,.card__image-container{width:100%;min-height:1%}.card__image{align-self:center}.card__image:not(:last-child){margin-bottom:20px}.main-page-section .card__image{margin-bottom:0}.card__head{margin:0 0 20px;font-size:28px;font-weight:300;color:#484848;line-height:1.1}.cards--v2 .card__head{font-size:32px;text-align:center}.card__excerpt{margin:0 0 25px;color:#4c4c4c;font-size:14px;font-weight:300;line-height:1.5}.cards--v2 .card__excerpt{font-size:16px}.card__learn-more{width:100%;display:block;margin:auto 0 0;padding:15px;font-size:12px;font-weight:400;text-transform:uppercase;border-radius:4px;border:1px solid #999;color:#4c4c4c;text-align:center;transition:.2s}.cards--v2 .card__learn-more{font-size:14px}.body-container .card__learn-more{margin:auto 0 0}@media (min-width:540px){.card__item-inner-container-transparent{display:flex;flex-direction:column;align-items:flex-start;width:100%;height:100%;padding:5px;color:#333;transition:transform .2s}.card__item-main-title{font-size:60px}.card__item-important-body-text{font-size:24px}}@media (min-width:991px){.cards{margin-bottom:40px}.main-page-section 
.cards{align-items:stretch}.cards--benefits .card__item:nth-child(3) .card__image{margin-top:0}}@media (min-width:1200px){.main-page-section .card__item-text-content{padding-right:45px;padding-left:45px}.cards--row-4 .card__item-main-title{font-size:44px}}.stickybar .tns-outer{padding:0!important}.stickybar .tns-slider{-webkit-transition:none;-moz-transition:none;transition:none}.stickybar .tns-slider>.tns-item{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.stickybar .tns-ovh{overflow:hidden}.stickybar .tns-visually-hidden{left:-10000em;position:absolute}.stickybar .tns-vpfix{white-space:nowrap}.stickybar .tns-vpfix>div,.stickybar .tns-vpfix>li{display:inline-block}.stickybar{background-color:#ffde83;display:block;max-width:100%;position:fixed;z-index:200}.stickybar,.stickybar__item{height:70px;left:0;top:0;width:100%}.stickybar__item{align-items:center;display:flex;flex-direction:column;flex-wrap:wrap;font-family:Tungsten;justify-content:center;line-height:1;margin:0 auto;position:relative}.stickybar__link,.stickybar__text{margin:0 4px}.stickybar__text{color:#000;font-size:16px;font-weight:400;padding:0 10px 4px;text-align:center}.stickybar__text strong{font-weight:600}.stickybar__link{background-color:#f6143f;border-radius:2px;color:#fff;display:inline-block;font-size:16px;font-weight:400;letter-spacing:1px;padding:4px 10px}.stickybar__close-btn{align-items:center;background-color:transparent;color:#000;cursor:pointer;display:flex;height:22px;justify-content:center;opacity:.5;position:absolute;right:8px;top:10px;transition:.2s;width:22px}.stickybar__close-btn:before{content:"\61";font-family:rl-icons;font-size:16px}.rl-has-stickybar{margin-top:70px}.rl-has-stickybar .custom-header{top:70px!important}@media (min-width:540px){.stickybar{height:46px}.stickybar__item{flex-direction:row;height:46px}.stickybar__text{font-size:18px;padding:0}.rl-has-stickybar{margin-top:46px}.rl-has-stickybar 
.custom-header{top:46px!important}.rl-has-stickybar .header--landing-page{margin-top:46px!important}.rl-has-stickybar .page-menu__container--sticky{top:88px!important}.stickybar__close-btn{right:10px;top:11px}}@media (min-width:768px){.stickybar__text{font-size:20px;font-weight:100}.stickybar__link{font-size:18px;padding-left:20px;padding-right:20px}.stickybar__link,.stickybar__text{margin:0 10px}.stickybar__close-btn{right:15px}}@media (min-width:991px){.stickybar__text{font-size:24px}}</style>
<link rel="preload" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/6519964395/1685359416657/Reversing_Labs_November2018_Theme/Coded_Files/Reversing_Labs_November2018-style.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
<noscript><link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/6519964395/1685359416657/Reversing_Labs_November2018_Theme/Coded_Files/Reversing_Labs_November2018-style.min.css"></noscript>
<!-- end LCP CLS--> 
<meta name="google-site-verification" content="s4v_9FTp-yOMSOIG-AncB-m4uIke9tNd3uRdYtnJlic">
<link rel="shortcut icon" href="https://www.reversinglabs.com/hubfs/favicons/favicon.ico?v=XBJLaGAQax">
<link rel="apple-touch-icon" sizes="180x180" href="https://www.reversinglabs.com/hubfs/favicons/apple-touch-icon.png?v=XBJLaGAQax">
<link rel="icon" type="image/png" sizes="32x32" href="https://www.reversinglabs.com/hubfs/favicons/favicon-32x32.png?v=XBJLaGAQax">
<link rel="icon" type="image/png" sizes="16x16" href="https://www.reversinglabs.com/hubfs/favicons/favicon-16x16.png?v=XBJLaGAQax">
<link rel="manifest" href="https://www.reversinglabs.com/hubfs/favicons/site.webmanifest?v=XBJLaGAQax">
<link rel="mask-icon" href="https://www.reversinglabs.com/hubfs/favicons/safari-pinned-tab.svg?v=XBJLaGAQax" color="#f6143f">
<meta name="msapplication-TileColor" content="#da532c">
<meta name="theme-color" content="#ffffff">
<meta property="og:site_name" content="ReversingLabs">
<meta property="og:url" content="https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies">
<meta name="twitter:site" content="@ReversingLabs">
<meta name="twitter:creator" content="@ReversingLabs">

<meta property="og:image" content="https://www.reversinglabs.com/hubfs/Blog/GwisinLocker-ransomware-targets-South-Korean-industrial-and-pharma-firms.png">
<meta name="twitter:image:src" content="https://3375217.fs1.hubspotusercontent-na1.net/hubfs/3375217/Blog/GwisinLocker-ransomware-targets-South-Korean-industrial-and-pharma-firms.png">

<script type="text/javascript" async src="https://play.vidyard.com/embed/v4.js"></script>



<script type="text/javascript">
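/**
 * Open the Vidyard lightbox for the player registered under a given UUID.
 *
 * The Vidyard embed script on this page is loaded with `async`, so the
 * `VidyardV4` global may not exist yet when this handler is invoked, and
 * a UUID with no matching player yields an empty list. Both cases are
 * treated as "nothing to show" instead of throwing from a click handler.
 *
 * @param {string} val - UUID of the Vidyard player whose lightbox to open.
 * @returns {void}
 */
function launchLightbox(val) {
  // Embed API not loaded (yet): a bare reference would raise ReferenceError.
  if (typeof VidyardV4 === 'undefined' || !VidyardV4 || !VidyardV4.api) {
    return;
  }

  var players = VidyardV4.api.getPlayersByUUID(val);

  // Unknown UUID: indexing [0] would be undefined and the call would throw.
  if (!players || players.length === 0) {
    return;
  }

  // As in the original, only the first matching player is used.
  players[0].showLightbox();
}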
</script>
<meta property="og:image" content="https://www.reversinglabs.com/hubfs/Blog/GwisinLocker-ransomware-targets-South-Korean-industrial-and-pharma-firms.png#keepProtocol">
<meta property="og:image:alt" content="GwisinLocker ransomware&nbsp;targets South Korean industrial and pharma firms">
<meta name="twitter:image" content="https://www.reversinglabs.com/hubfs/Blog/GwisinLocker-ransomware-targets-South-Korean-industrial-and-pharma-firms.png#keepProtocol">
<meta name="twitter:image:alt" content="GwisinLocker ransomware&nbsp;targets South Korean industrial and pharma firms">

<meta property="og:url" content="https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies">
<meta name="twitter:card" content="summary">
<meta name="twitter:creator" content="@Xtemporality">

<link rel="canonical" href="https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies">

<meta property="og:type" content="article">
<link rel="alternate" type="application/rss+xml" href="https://www.reversinglabs.com/blog/rss.xml">
<meta name="twitter:domain" content="www.reversinglabs.com">
<meta name="twitter:site" content="@ReversingLabs">

<meta http-equiv="content-language" content="en">
<link rel="stylesheet" href="//cdn2.hubspot.net/hub/7052064/hub_generated/template_assets/1692732890762/hubspot/hubspot_default/shared/responsive/layout.min.css">

<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/5951651806/1659964887293/Reversinglabs_July2018_Theme/Coded_Files/RL-custom.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/6519964395/1685359416657/Reversing_Labs_November2018_Theme/Coded_Files/Reversing_Labs_November2018-style.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/10528761402/1689162268961/Redesign_june_2019/Coded_Files/CSS/Modules/site-redesign-june-2019.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/23712622487/1628866682579/Coded_files/Modules/blog.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/70521421874/1671120024586/Redesign_june_2019/Coded_Files/CSS/Modules/conversing.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/6021532803/1569840493756/Reversinglabs_July2018_Theme/Coded_Files/simplelightbox.min.css">
<link rel="stylesheet" href="https://www.reversinglabs.com/hs-fs/hub/3375217/hub_generated/template_assets/11708570900/1657723424898/Modules/Tag_list_-_inline/tag-list.min.css">




</head>
<body class="blog wide-layout rd-2019   hs-content-id-81113493911 hs-blog-post hs-blog-id-5901382633" style="">
    <div class="header-container-wrapper">
    <div class="header-container container-fluid">

<div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-global_group " style="" data-widget-type="global_group" data-x="0" data-w="12">
<div class="" data-global-widget-path="generated_global_groups/11118979719.html"><div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-cell custom-header custom-header--dark" style="" data-widget-type="cell" data-x="0" data-w="12">


<div class="row-fluid-wrapper row-depth-1 row-number-3 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-cell page-center" style="" data-widget-type="cell" data-x="0" data-w="12">

<div class="row-fluid-wrapper row-depth-1 row-number-4 ">
<div class="row-fluid ">
<div class="span10 widget-span widget-type-cell " style="" data-widget-type="cell" data-x="2" data-w="10">

<div class="row-fluid-wrapper row-depth-1 row-number-5 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-custom_widget rd-site-menu" style="" data-widget-type="custom_widget" data-x="0" data-w="12">
<div id="hs_cos_wrapper_module_1562750607510155" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><nav class="rd-site-menu__inner">
  <div class="rd-site-menu__items-container">
    <div class="rd-site-menu__items rd-site-menu__items--main">
    
      
      <span class="rd-site-menu__item 
          
          ">
          
            
            <div class="rd-site-menu__sub-items-container">
              <div class="rd-site-menu__sub-items">
              
              
              
              
          
            
              
              <a href="https://www.reversinglabs.com/solutions/reversinglabs-threat-intelligence-for-microsoft-sentinel" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Threat Intelligence for Microsoft Sentinel</span>
              </a>
              
              
              </div>
            </div>
            
          
      </span>
      
    
      
      <span class="rd-site-menu__item 
          
          ">
          <span class="rd-site-menu__item-inner-container">
            <span class="rd-site-menu__item-text">Platform &amp; Products</span>
            <span class="rd-site-menu__item-chevron"></span>
          </span>  
          
            
            <div class="rd-site-menu__sub-items-container">
              <div class="rd-site-menu__sub-items">
              
              
              <a href="https://www.reversinglabs.com/products/malware-analysis-platform" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Titanium Platform</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/products/software-supply-chain-security" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">ReversingLabs Software Supply Chain Security</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/products/file-reputation-service" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">ReversingLabs Threat Intelligence</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/products/reversinglabs-cloud-deep-scan" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">ReversingLabs Cloud Deep Scan</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/products/enterprise-scale-file-anlaysis-software" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">ReversingLabs Elastic Threat Infrastructure</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/products/malware-threat-hunting-and-investigations" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">ReversingLabs Threat Analysis &amp; Hunting</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/products/open-source-yara-rules" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Free: Open-Source YARA Rules</span>
              </a>
              
              
              </div>
            </div>
            
          
      </span>
      
    
      
      <span class="rd-site-menu__item 
          
          ">
          <span class="rd-site-menu__item-inner-container">
            <span class="rd-site-menu__item-text">Why Us</span>
            <span class="rd-site-menu__item-chevron"></span>
          </span>  
          
            
            <div class="rd-site-menu__sub-items-container">
              <div class="rd-site-menu__sub-items">
              
              
              <a href="https://www.reversinglabs.com/why-choose-reversinglabs" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Why Choose ReversingLabs</span>
              </a>
              
              
              </div>
            </div>
            
          
      </span>
      
    
      
      <span class="rd-site-menu__item 
          
          ">
          <span class="rd-site-menu__item-inner-container">
            <span class="rd-site-menu__item-text">Partners</span>
            <span class="rd-site-menu__item-chevron"></span>
          </span>  
          
            
            <div class="rd-site-menu__sub-items-container">
              <div class="rd-site-menu__sub-items">
              
              
              <a href="https://www.reversinglabs.com/reseller-partners" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">GSI &amp; Reseller Partners</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/integration-partners" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Integration Partners</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/security-vendors" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Security Partners</span>
              </a>
              
              
          
            
              
              <span class="rd-site-menu__sub-item rd-site-menu__sub-item--no-link">
                <span class="rd-site-menu__item-text">Alliances</span>
              </span>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/alliances/synopsys" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">ReversingLabs and Synopsys</span>
              </a>
              
              
              </div>
            </div>
            
          
      </span>
      
    
      
      <span class="rd-site-menu__item 
          
          ">
          <span class="rd-site-menu__item-inner-container">
            <span class="rd-site-menu__item-text">Resources</span>
            <span class="rd-site-menu__item-chevron"></span>
          </span>  
          
            
            <div class="rd-site-menu__sub-items-container">
              <div class="rd-site-menu__sub-items">
              
              
              <a href="https://www.reversinglabs.com/resources" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Content Library</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/webinars" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Webinars</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/software-package-deconstruction-series" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Software Deconstruction Demo Series</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/reversingglass" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">ReversingGlass: Concepts Explained</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/conversinglabs" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">ConversingLabs Podcast</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/from-the-labs" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">From the Labs: YARA Rules</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/demo-videos" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Demo Videos</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/learning-with-reversinglabs" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Learning with ReversingLabs</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/reversinglabs-threat-intelligence-quiz" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Threat Intelligence Quiz</span>
              </a>
              
              
              </div>
            </div>
            
          
      </span>
      
    
      
      <span class="rd-site-menu__item 
          
          ">
          <span class="rd-site-menu__item-inner-container">
            <span class="rd-site-menu__item-text">Company</span>
            <span class="rd-site-menu__item-chevron"></span>
          </span>  
          
            
            <div class="rd-site-menu__sub-items-container">
              <div class="rd-site-menu__sub-items">
              
              
              <span class="rd-site-menu__sub-item rd-site-menu__sub-item--no-link">
                <span class="rd-site-menu__item-text">Company</span>
              </span>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/company/about-us" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">About Us</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/company/leadership" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Leadership</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/company/careers" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Careers</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/crosspoint-capital-leads-investment-in-software-security-pioneer-reversinglabs" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Series B Investment</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/blog/tag/events-announcements" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Company News</span>
              </a>
              
              
          
            
              
              <span class="rd-site-menu__sub-item rd-site-menu__sub-item--no-link">
                <span class="rd-site-menu__item-text">Events</span>
              </span>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/events" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Events</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/black-hat-usa-2023" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Hacker Summer Camp 2023</span>
              </a>
              
              
          
            
              
              <span class="rd-site-menu__sub-item rd-site-menu__sub-item--no-link">
                <span class="rd-site-menu__item-text">Press</span>
              </span>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/newsroom/press-releases" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">Press Releases</span>
              </a>
              
              
          
            
              
              <a href="https://www.reversinglabs.com/newsroom/news" class="rd-site-menu__sub-item">
                <span class="rd-site-menu__item-text">In the News</span>
              </a>
              
              
              </div>
            </div>
            
          
      </span>
      
    
      
      <a href="https://register.reversinglabs.com/demo" class="rd-site-menu__item 
          rd-site-menu__item--highlight
          rd-site-menu__item--highlight-red">
        <span class="rd-site-menu__item-text">Demo</span>
      </a>
      
    
    </div>
    <div class="rd-site-menu__items rd-site-menu__items--top">
      
      
      <span class="rd-site-menu__item 
          rd-site-menu__item--search">
        <span class="rd-site-menu__item-text">Search</span>
      </span>
      
      
      
      <a href="https://www.reversinglabs.com/contact-us" class="rd-site-menu__item 
          rd-site-menu__item--highlight
          ">
        <span class="rd-site-menu__item-text">Contact Us</span>
      </a>
      
      
      
      <a href="https://support.reversinglabs.com/hc/en-us/restricted" class="rd-site-menu__item 
          
          ">
        <span class="rd-site-menu__item-text">Support</span>
      </a>
      
      
      
      <a href="https://rli.reversinglabs.com/accounts/login/" class="rd-site-menu__item 
          
          ">
        <span class="rd-site-menu__item-text">Login</span>
      </a>
      
      
      
      <a href="https://www.reversinglabs.com/blog" class="rd-site-menu__item 
          
          ">
        <span class="rd-site-menu__item-text">Blog</span>
      </a>
      
      
      
      <a href="https://www.secure.software" class="rd-site-menu__item 
          
          ">
        <span class="rd-site-menu__item-text">Developer Portal</span>
      </a>
      
      
    </div>
  </div>
</nav></div>

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->


</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->
</div>
</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

    </div><!--end header -->
</div><!--end header wrapper -->

<div class="body-container-wrapper">
    <div class="body-container container-fluid">


<div class="row-fluid-wrapper row-depth-1 row-number-2 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-cell page-center content-wrapper conversing__wrapper" style="" data-widget-type="cell" data-x="0" data-w="12">

<div class="row-fluid-wrapper row-depth-1 row-number-3 ">
<div class="row-fluid ">
<div class="span8 widget-span widget-type-cell blog-content" style="" data-widget-type="cell" data-x="0" data-w="8">

<div class="row-fluid-wrapper row-depth-1 row-number-4 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12">
<div id="hs_cos_wrapper_module_1523032069834331" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module widget-type-blog_content" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module">
    <div class="blog-section">
<div class="blog-post-wrapper cell-wrapper">
<div class="blog-section">
<div class="blog-post-wrapper cell-wrapper">
<div class="custom-blog-date post">  
<span class="custom-topic">
<div id="hs_cos_wrapper_module_165901111278147" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module">
<!--Threat Research sorted tags -->
<a class="topic-link" href="https://www.reversinglabs.com/blog/tag/threat-research">Threat Research</a>
<!--Ransomware sorted tags -->
</div>
</span>
| 
<span class="custom-post-date">
August 9, 2022
</span>
</div>
<div class="section post-header">
<h1><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">GwisinLocker ransomware&nbsp;targets South Korean industrial and pharma firms</span></h1>
<div id="hs_cos_wrapper_module_1577203992502740" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module">
</div>
</div>
<div class="author-short-info__container">
<div class="author-short-info">
<div class="author-short-info__image-container">
<img class="author-short-info__image" src="https://www.reversinglabs.com/hubfs/Imported_Blog_Media/authors/joseph-edwards-blog-author.jpg" alt="Joseph Edwards">
</div>
<div class="author-short-info__text-container">
<span class="author-short-info__text-label">Blog Author</span>
<p class="author-short-info__name-bio">
Joseph Edwards, Senior Malware Researcher at ReversingLabs.&nbsp;<a href="https://www.reversinglabs.com/blog/author/joseph-edwards">Read More...</a>
</p>
</div>
</div>
</div>
<div id="hs_cos_wrapper_module_1577204345802754" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"></div>
<div class="section post-body">
<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p><img src="https://www.reversinglabs.com/hs-fs/hubfs/AdobeStock_168947835_ghost_ransomware.jpeg?width=4600&amp;name=AdobeStock_168947835_ghost_ransomware.jpeg" alt="AdobeStock_168947835_ghost_ransomware" width="4600" loading="lazy" style="width: 4600px;" srcset="https://www.reversinglabs.com/hs-fs/hubfs/AdobeStock_168947835_ghost_ransomware.jpeg?width=2300&amp;name=AdobeStock_168947835_ghost_ransomware.jpeg 2300w, https://www.reversinglabs.com/hs-fs/hubfs/AdobeStock_168947835_ghost_ransomware.jpeg?width=4600&amp;name=AdobeStock_168947835_ghost_ransomware.jpeg 4600w, https://www.reversinglabs.com/hs-fs/hubfs/AdobeStock_168947835_ghost_ransomware.jpeg?width=6900&amp;name=AdobeStock_168947835_ghost_ransomware.jpeg 6900w, https://www.reversinglabs.com/hs-fs/hubfs/AdobeStock_168947835_ghost_ransomware.jpeg?width=9200&amp;name=AdobeStock_168947835_ghost_ransomware.jpeg 9200w, https://www.reversinglabs.com/hs-fs/hubfs/AdobeStock_168947835_ghost_ransomware.jpeg?width=11500&amp;name=AdobeStock_168947835_ghost_ransomware.jpeg 11500w, https://www.reversinglabs.com/hs-fs/hubfs/AdobeStock_168947835_ghost_ransomware.jpeg?width=13800&amp;name=AdobeStock_168947835_ghost_ransomware.jpeg 13800w" sizes="(max-width: 4600px) 100vw, 4600px"></p>
<p>Taking its name from “Gwisin,” a Korean term for “ghost” or “spirit,” GwisinLocker is a new ransomware family that targets South Korean industrial and pharmaceutical companies.&nbsp;</p>
<!--more-->
<h2 style="font-size: 24px; font-weight: bold;">Executive Summary</h2>
<p>ReversingLabs researchers discovered a new ransomware family targeting Linux-based systems. The malware, dubbed GwisinLocker, was detected in successful campaigns targeting South Korean industrial and pharmaceutical firms. The malware is notable for being a new malware variant produced by a previously little-known threat actor, dubbed “Gwisin” (귀신) — a Korean word meaning ‘ghost’ or ‘spirit’ — and for targeting systems running the open source Linux operating system. The ransomware is deployed following a substantial network compromise and data exfiltration.</p>
<h2 style="font-size: 24px; font-weight: bold;">Analysis</h2>
<p style="font-weight: bold;">Background</p>
<p>On July 19th in the course of threat hunting, ReversingLabs researchers discovered an undetected Linux ransomware sample which bore the markers of a Gwisin campaign. We have chosen to name this malware GwisinLocker.Linux for clarity, as versions of the malware affecting Windows systems have also been identified.</p>
<p>Gwisin is a ransomware group targeting South Korean industrial and pharmaceutical companies. The name “Gwisin” (귀신) refers to the Korean term for a ghost or spirit. The Gwisin group was first referenced in a report on new ransomware actors in <a href="https://www.boannews.com/media/view.asp?idx=108704">Q3 2021</a>, but has maintained a relatively low profile. To date, there has not been a public technical analysis of the group’s ransomware. This blog post will attempt to describe the new threat based on samples obtained in the wild and analyzed by ReversingLabs, as well as published reports describing attacks associated with the malware.&nbsp;</p>
<p style="font-size: 18px; font-weight: bold;">Configuration</p>
<p>The GwisinLocker.Linux samples can be run with the following options (the option descriptions were removed by the malware authors; those shown here were inferred from analysis):</p>
<p><span style="font-family: terminal, monospace;">Usage: Usage</span><br><span style="font-family: terminal, monospace;">-h, --help&nbsp; &nbsp; show this help message and exit</span><br><span style="font-family: terminal, monospace;">Options</span><br><span style="font-family: terminal, monospace;">-p, --vp=&lt;str&gt; Comma-separated list of paths to encrypt</span><br><span style="font-family: terminal, monospace;">-m, --vm=&lt;int&gt; Kills VM processes if 1; Stops services and processes if 2</span><br><span style="font-family: terminal, monospace;">-s, --vs=&lt;int&gt; Seconds to sleep before execution</span><br><span style="font-family: terminal, monospace;">-z, --sf=&lt;int&gt; Skip encrypting ESXi-related files (those excluded in the configuration)</span><br><span style="font-family: terminal, monospace;">-d, --sd=&lt;int&gt; Self-delete after completion</span><br><span style="font-family: terminal, monospace;">-y, --pd=&lt;str&gt; Writes the specified text to a file of the same name</span><br><span style="font-family: terminal, monospace;">-t, --tb=&lt;int&gt; Enters loop if Unix time is &lt; 4 hours since epoch</span></p>
<p style="font-size: 18px; font-weight: bold;">Operation</p>
<p>First, the malware redirects the standard input, standard output and standard error file descriptors to /dev/null to avoid outputting debug or error strings. Both the 32-bit and 64-bit samples used the file /tmp/.66486f04-bf24-4f5e-ae16-0af0fdb3d8fe as a mutex, writing a lock to the file. If GwisinLocker reads a lock set on this file, it exits immediately.</p>
<p>Next, the GwisinLocker.Linux ransomware decrypts its configuration data. GwisinLocker.Linux's configuration is embedded in the malware, encrypted with a hard-coded RC4 key. The JSON configuration was the same in both samples and includes a list of excluded and targeted files.</p>
<p>The following directories are excluded from encryption to prevent Linux operating system crashes:</p>
<p><span style="font-family: terminal, monospace;">"bin","boot","dev","etc","lib","lib64","proc","run","sbin","srv","sys","tmp","usr","var","bootbank","mbr","tardisks","tardisks.noauto","vmimages"</span></p>
<p>These services and related processes are killed before encryption (if the --vm=2 option is set) to ensure open file handles are closed:</p>
<p><span style="font-family: terminal, monospace;">"apache","httpd","nginx","oracle","mysql","mariadb","postgres","mongod","elasticsearch","jenkins","gitlab","docker","svnserve","yona","zabbix","graylog","java"</span></p>
<p>The following filenames are excluded from encryption (if the --sf option is set), as they are important for VMware ESXi operations. Perhaps the threat actors intended to maintain access to ESXi virtual machines. The ransom notes are also excluded.</p>
<p><span style="font-family: terminal, monospace;">"imgdb.tgz","onetime.tgz","state.tgz","useropts.gz","jumpstrt.gz","imgpayld.tgz","features.gz","!!!_HOW_TO_UNLOCK_MCRGNX_FILES_!!!.TXT"</span></p>
<p>These directories were specifically targeted by Gwisin to encrypt operational data:</p>
<p><span style="font-family: terminal, monospace;">"/Information/Database/","/Information/korea_data/","/Information/","/Infra/","/var/www/","/var/opt/","/var/lib/mysql/","/var/lib/postgresql/","/var/log/","/usr/local/svn/","/var/lib/docker","/var/db/mongodb","/var/lib/mongodb/","/var/lib/elasticsearch/","/u01/","/ORCL/","/var/lib/graylog-server/","/usr/local/"</span></p>
<p>Once the command-line arguments are parsed, GwisinLocker enumerates the number of processors and creates up to 100 threads. The directories to be encrypted are specified with the --vp option; if that option is not given, the list of directories in the configuration is used by default.&nbsp;</p>
<p>If the --vm=1 option is supplied, the ransomware executes the following commands to shut down VMware ESXi machines before encryption:</p>
<p><span style="font-family: terminal, monospace;">esxcli --formatter=csv --format-param=fields=="DisplayName,WorldID" vm process list</span></p>
<p><span style="font-family: terminal, monospace;">esxcli vm process kill --type=force --world-id="[ESXi] Shutting down - %s"</span></p>
<p style="font-size: 24px; font-weight: bold;">Impact</p>
<p>Files encrypted in this GwisinLocker campaign carry the extension .mcrgnx, and the file's corresponding key is stored (encrypted) in a separate 256-byte file with the extension .mcrgnx0. GwisinLocker employs AES to encrypt victim files, hiding the key to prevent convenient decryption. In addition, compromised endpoints are renamed ‘GWISIN Ghost,’ according to published reports.&nbsp;</p>
<h2 style="font-size: 24px; font-weight: bold;">Encryption</h2>
<p>GwisinLocker combines AES symmetric-key encryption with SHA256 hashing, generating a unique key for each file. The following steps occur when a file is encrypted:</p>
<ol>
<li aria-level="1">
<ol style="font-size: 18px;" data-stringify-type="ordered-list" data-indent="0" data-border="0">
<li data-stringify-indent="0" data-stringify-border="0">1. Initialize RSA context from embedded public key</li>
<li data-stringify-indent="0" data-stringify-border="0">&nbsp;</li>
<li data-stringify-indent="0" data-stringify-border="0">2. Generate random AES key and IV:</li>
</ol>
<ul style="font-size: 18px;" data-stringify-type="unordered-list" data-indent="1" data-border="0">
<li data-stringify-indent="1" data-stringify-border="0">Initialize new SHA256 context</li>
<li data-stringify-indent="1" data-stringify-border="0">Read 32 bytes from /dev/urandom, hash with SHA256 context</li>
<li data-stringify-indent="1" data-stringify-border="0">Utilize SHA256 digest as a key to initialize AES context and generate AES key</li>
<li data-stringify-indent="1" data-stringify-border="0">Repeat the three sub-steps above with 16 new bytes from /dev/urandom to generate an Initialization Vector</li>
</ul>
<ol style="font-size: 18px;" data-stringify-type="ordered-list" data-indent="0" data-border="0">
<li data-stringify-indent="0" data-stringify-border="0">3. Rename the target file to<span>&nbsp;</span><strong data-stringify-type="bold">[targetfile].mcrgnx</strong></li>
<li data-stringify-indent="0" data-stringify-border="0"><br>4. Encrypt and store the AES key in the file<span>&nbsp;</span><strong data-stringify-type="bold">[targetfile].mcrgnx0</strong>:</li>
</ol>
<ul style="font-size: 18px;" data-stringify-type="unordered-list" data-indent="1" data-border="0">
<li data-stringify-indent="1" data-stringify-border="0">Initialize new SHA256 context</li>
<li data-stringify-indent="1" data-stringify-border="0">Read 32 bytes from /dev/urandom, hash with SHA256 context</li>
<li data-stringify-indent="1" data-stringify-border="0">Utilize SHA256 digest as a key to initialize AES context and generate AES key 2</li>
<li data-stringify-indent="1" data-stringify-border="0">Encrypt the file's AES key (generated in step 2) with AES key 2</li>
<li data-stringify-indent="1" data-stringify-border="0">Encrypt the resulting buffer with RSA context</li>
<li data-stringify-indent="1" data-stringify-border="0">Write encrypted key to<span>&nbsp;</span><strong data-stringify-type="bold">[targetfile].mcrgnx0</strong></li>
</ul>
<ol style="font-size: 18px;" data-stringify-type="ordered-list" data-indent="0" data-border="0">
<li data-stringify-indent="0" data-stringify-border="0">5. Lastly, encrypt<span>&nbsp;</span><strong data-stringify-type="bold">[targetfile].mcrgnx</strong><span>&nbsp;</span>with the unencrypted AES key and IV generated in step 2.</li>
</ol>
</li>
<li aria-level="1">&nbsp;</li>
<li aria-level="1">
<h2 style="font-weight: bold; font-size: 24px;">Targets</h2>
</li>
</ol>
<p>According to <a href="https://www.boannews.com/media/view.asp?idx=108704">published reports in South Korean media</a>, the Gwisin threat actors focus exclusively on South Korean firms. The group attacked large domestic pharmaceutical companies in 2022. In those incidents, it often launched attacks on public holidays and during the early morning hours (Korean time) - looking to take advantage of periods in which staffing and monitoring within target environments were relaxed.&nbsp;</p>
<p>In communications with its victims, the Gwisin group claims to have deep knowledge of the victim's network and to have exfiltrated data with which to extort the company. Ransom notes associated with GwisinLocker.Linux contain detailed internal information from the compromised environment. Encrypted files use file extensions customized to use the name of the victim company.&nbsp;</p>
<h2 style="font-weight: bold; font-size: 24px;">Ransom Note</h2>
<p>According to published reports, GwisinLocker.Linux ransom notes are text format files written in English and created in the same target folder as encrypted files. The name of the ransom note is typically “!!!_HOW_TO_UNLOCK_******_FILES_!!!.TXT.” The note includes contact information, along with a list of data and intellectual property stolen from within the company.</p>
<p>Though the ransom notes are written in English, they contain references that make clear the intended targets are South Korean firms. That includes the use of Hangul (Korean language script) characters and explicit warnings to victims not to contact a range of South Korean law enforcement or government agencies including the Korean police, the National Intelligence Service, and KISA.&nbsp;</p>
<p style="font-size: 18px; font-weight: bold;"><span style="color: #434343;">Sample Ransom Note</span></p>
<p>The following is a (redacted) copy of a GwisinLocker ransom note.</p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">Hello [REDACTED],<br></span><span style="font-family: 'Courier New', Courier, monospace;">You have been visited by GWISIN.<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">We have exfiltrated a lot of sensitive data from your networks, <br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">including, but not limited to:</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">I. Production applications, source (Git/SVN), files and DBs<br></span><span style="font-family: 'Courier New', Courier, monospace;">[1] [REDACTED] (all regions) + [REDACTED] and other internal platforms</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">By combining lab [REDACTED] data and the primary big customer platform <br>[REDACTED], it is easy to identify customer projects, credentials and data. <br></span><span style="background-color: transparent; font-family: 'Courier New', Courier, monospace;">Despite ISO27001 and ISMS-P with a good PIMS strategy, you have failed to </span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">protect customer data across all services.<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">Your privacy policy assures customers their data security and privacy is top priority, reality seems very different.<br></span><span style="background-color: transparent; font-family: 'Courier New', Courier, monospace;">We wonder what your customers will have to say about that?</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">[2] [REDACTED] and general DTC related data</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">Once again failing to protect very sensitive data and communications of your customers.</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">[3] Infrastructure and sequencing pipeline data / scripts&nbsp;</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">Everything from documentation to project specs to produced VCFs and PDF reports post-analysis were collected.<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">More importantly, a full deep dive of your network infrastructure </span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">documentation and access.<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">The only way to kick us out is to buy all new hardware, including </span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">network equipment (UTM / switches) and sequencing / data storage systems.<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">Someone could have quietly modified your [REDACTED] pipeline instead </span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">of contacting you, causing you much bigger issues (legal, financial and </span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">otherwise).<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">Can you really trust your results, if you can't trust your input </span><span style="font-family: 'Courier New', Courier, monospace;">data and processing pipelines?</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">II. Internal Data &amp; Communications</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">[1] ERP/CRM Systems (NEOE, Dynamics)<br></span><span style="font-family: 'Courier New', Courier, monospace;">[2] Active Directory dump with credential history (NTDS + passive credential collection)<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">[3] DO GW with DB (your groupware contains a lot of data)<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">[4] Exchange email communications (PST) of targeted important employees in various roles<br></span><span style="background-color: transparent; font-family: 'Courier New', Courier, monospace;">[5] Financial / Accounting / Research / IT / Customer / Etc. documents</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">- A lot of documents and other files were collected from SHARE/NEWSHARE machines among other servers<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">- Your DLP and monitoring was rendered effectively useless and could not stop us, neither could your security team and defensive products</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">We have also encrypted critical Windows and Linux servers.<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">We recommend that you do NOT restart servers or recovery may be slower.<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">The good news for you is that we can:<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">- Decrypt all files with extension ".mcrgnx" very quickly<br></span><span style="background-color: transparent; font-family: 'Courier New', Courier, monospace;">- Delete all sensitive data we have exfiltrated, instead of selling it<br></span><span style="background-color: transparent; font-family: 'Courier New', Courier, monospace;">- Help you improve your security<br></span><span style="background-color: transparent; font-family: 'Courier New', Courier, monospace;">- Disappear and not be your problem anymore</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">All you have to do is follow the instructions:<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">1.) Download Tor Browser: https[://]www[.]torproject.org/download/<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">2.) Go to our website: http[://]gwisin:fa5d9dfc@gwisin4yznpdtzq424i3la6oqy5evublod4zbhddzuxcnr34kgfokwad[.]onion<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">3.) Login with username: mcrgnx, password: [REDACTED]<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">4.) Change password (one time setup)<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">5.) Setup end-to-end message encryption password<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">6.) Read the full instructions on the website and contact us using the message system provided there</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">[WARNING - #1] <br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">If you are having trouble reaching our website, attempt closing and re-opening the Tor browser.<br></span><span style="background-color: transparent; font-family: 'Courier New', Courier, monospace;">If you are still unable to reach our website, create a DNS TXT record @ mcrgnx.[REDACTED].com containing a hex-encoded email address and we will contact you.<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">However, eventually we will need to communicate using our website to preserve the privacy of all parties involved.&nbsp;</span></p>
<p style="font-size: 14px;"><span style="font-family: 'Courier New', Courier, monospace;">[WARNING - #2]<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">Do NOT contact law enforcement (such as NPA, KISA or SMPA) or threat intelligence organizations as they may prevent you from recovering quickly.<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">They can't really help you and they don't care if your business is destroyed in the process.<br></span><span style="font-family: 'Courier New', Courier, monospace; background-color: transparent;">Contact us within 72 working hours, so we can negotiate in good faith and resolve this quickly.</span></p>
<h2 style="font-size: 24px; font-weight: bold;">Campaign Markers</h2>
<h2 style="font-size: 18px; font-weight: bold;">Indicators of Compromise</h2>
<p>The following are indicators of compromise (IOCs) assembled from GwisinLocker.Linux samples used in the wild.&nbsp;</p>
<h3 style="font-size: 18px; font-weight: bold;">Filesystem</h3>
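<p>The following hashes and strings correspond to files associated with active GwisinLocker.Linux variants and attacks. Because encrypted-file extensions are customized per victim and the ransom note name typically follows the pattern !!!_HOW_TO_UNLOCK_******_FILES_!!!.TXT, the ransom note filename listed here is specific to the analyzed sample; match on the pattern rather than the literal name when hunting.&nbsp;</p>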
<table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2; height: 497px; width: 514px;" width="547" height="382">
<tbody>
<tr style="height: 80px;">
<td style="background-color: #f4f5f7; border: 0.75pt solid #c1c7d0; width: 273px; height: 80px;">
<p style="font-size: 14px;"><strong><span style="color: #172b4d;">SHA1 Hash (Filename)</span></strong></p>
</td>
<td style="background-color: #f4f5f7; border: 0.75pt solid #c1c7d0; width: 241px; height: 80px;">
<p style="font-size: 14px;"><strong><span style="color: #172b4d;">Description</span></strong></p>
</td>
</tr>
<tr style="height: 104px;">
<td style="border: 0.75pt solid #c1c7d0; width: 273px; height: 104px;">
<p>(/tmp/.66486f04-bf24-4f5e-ae16-0af0fdb3d8fe)</p>
</td>
<td style="border: 0.75pt solid #c1c7d0; width: 241px; height: 104px;">
<p>Mutex</p>
</td>
</tr>
<tr style="height: 104px;">
<td style="border: 0.75pt solid #c1c7d0; width: 273px; height: 104px;">
<p>(!!!_HOW_TO_UNLOCK_MCRGNX_FILES_!!!.TXT)</p>
</td>
<td style="border: 0.75pt solid #c1c7d0; width: 241px; height: 104px;">
<p>Ransom Note</p>
</td>
</tr>
<tr style="height: 104px;">
<td style="border: 0.75pt solid #c1c7d0; width: 273px; height: 104px;">
<p>ce6036db4fee35138709f14f5cc118abf53db112</p>
</td>
<td style="border: 0.75pt solid #c1c7d0; width: 241px; height: 104px;">
<p>GwisinLocker Ransomware (32-bit ELF)</p>
</td>
</tr>
<tr style="height: 104px;">
<td style="border: 0.75pt solid #c1c7d0; width: 273px; height: 104px;">
<p>e85b47fdb409d4b3f7097b946205523930e0c4ab</p>
</td>
<td style="border: 0.75pt solid #c1c7d0; width: 241px; height: 104px;">
<p>GwisinLocker Ransomware (64-bit ELF)</p>
</td>
</tr>
</tbody>
</table>
<p style="font-size: 18px;">&nbsp;</p>
<p style="font-size: 18px; font-weight: bold;"><span style="color: #434343;">Processes</span></p>
<p>The following processes are associated with active GwisinLocker.Linux variants.</p>
<p><span style="font-family: terminal, monospace;">esxcli --formatter=csv --format-param=fields=="DisplayName,WorldID" vm process list</span></p>
<p><span style="font-family: terminal, monospace;">esxcli vm process kill --type=force --world-id="[ESXi] Shutting down - %s"</span></p>
<p style="font-size: 18px; font-weight: bold;">Payment</p>
<p>GwisinLocker.Linux victims are required to log into a portal operated by the group and establish private communications channels for completing ransom payments. As a result, little is known about the payment method used and/or cryptocurrency wallets associated with the group.&nbsp;</p>
<h2 style="font-size: 24px; font-weight: bold;">Significance</h2>
<p>GwisinLocker.Linux is notable for being a new ransomware variant from a heretofore little-known threat actor. The malware’s exclusive focus on prominent South Korean firms, its references to South Korean law enforcement entities, and the use of Korean (Hangul) script in ransom notes suggest the threat actor is familiar with both the Korean language and South Korean culture. That could suggest that the Gwisin group is a North Korea-based threat actor, given that nation’s aggressive use of offensive hacking, including the use of ransomware, to target South Korean government agencies and private sector firms.&nbsp;</p>
<p>The group’s apparent ability to compromise and maintain persistent access to victim environments prior to deploying the GwisinLocker.Linux ransomware, as well as the group’s use of double extortion attacks involving the theft of sensitive data suggest that Gwisin possesses sophisticated offensive cyber capabilities. South Korean firms in sectors targeted by Gwisin including heavy industry and pharmaceuticals should be particularly alert for attacks and indicators of compromise. However, the risk posed by Gwisin likely extends to South Korean firms in other sectors, as well.&nbsp;</p>
<h2 style="font-size: 24px; font-weight: bold;">Conclusions</h2>
<p>GwisinLocker is a significant new ransomware family that has been used in attacks on prominent South Korean industrial and pharmaceutical firms. Our analysis of a variant of GwisinLocker that targets Linux-based systems reveals a sophisticated piece of malware with features specially designed to manage Linux hosts and operate and interact with VMware ESXi virtual machines.&nbsp;</p>
<p>Analysis and public reporting of the larger GwisinLocker campaign suggest the ransomware is in the hands of sophisticated threat actors who gain access to, and control over, target environments prior to the deployment of the ransomware. That includes identifying and stealing sensitive data for use in so-called “double extortion” campaigns. Details in samples of the group’s ransom notes suggest a familiarity with the Korean language as well as South Korean government and law enforcement. This has led to speculation that Gwisin may be a North Korean-linked advanced persistent threat (APT) group.&nbsp;</p>
<p>This threat should be of particular concern to industrial and pharmaceutical companies in South Korea, which account for the bulk of Gwisin’s victims to date. However, it is reasonable to assume that this threat actor may expand its campaigns to organizations in other sectors, or even outside of South Korea.&nbsp;</p>
<p>Firms concerned with GwisinLocker should review the Indicators of Compromise in this report and make those available to internal or external threat-hunting teams.</p></span>
</div>
</div>
</div>
</div>
</div>
</div>

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->


</div><!--end widget-span -->
<div class="span4 widget-span widget-type-cell right-side conversing--right-side" style="" data-widget-type="cell" data-x="8" data-w="4">








</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

    </div><!--end body -->
</div><!--end body wrapper -->

<div class="footer-container-wrapper">
    <div class="footer-container container-fluid">

<div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12">
<div id="hs_cos_wrapper_module_1564575137111154" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><footer class="site-footer">

  


</footer>
<!-- jQuery -->






      



  
  
  <script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.7.0/jquery.min.js" integrity="sha512-3gJwYpMe3QewGELv8k/BX9vcqhryRdzRMxVfq6ngyWXwo03GFEzjsUm8Q7RZcHPHksttq7/GFoxjCVUjkjvPdw==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
      
</div>

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

    </div><!--end footer -->
</div><!--end footer wrapper -->

    

</body></html>